Security in Context: The BeyondTrust Blog


Mandiant APT1 report, some unanswered questions.

Posted February 21, 2013 by Marc Maiffret

For the last several years there has been an increasing number of accusations being made against China and its military as being behind the systematic targeting of organizations throughout the world in a sophisticated hacking campaign to steal data and access to further China’s economic, military and social agendas. These accusations come from a mass of security industry researchers, government officials, and even victim organizations themselves. Throughout all of the claims and data provided, there has yet to be concrete evidence that proves China is indeed behind these vast attacks. This is due in part to the difficult task of attributing a specific person, group or country to a given attack.

This week the attribution landscape for these attacks seemingly shifted from opinion about China’s involvement to something close to unmistakable evidence of it, even if the conclusion still leans on Occam’s razor. The catalyst for this change was a research report released by security firm Mandiant. Within Mandiant’s 74-page report is one of the clearest cases yet made for China’s involvement in the continuing spree of hacking attacks targeting some of the world’s most important organizations.

At the heart of Mandiant’s evidence are statistically heavy assertions that a vast number of the attacks they have investigated lead back to systems in China, and more specifically to four large computer networks in Shanghai. Two of the four networks reside within the Pudong New Area of Shanghai, which happens to house China’s People’s Liberation Army (PLA) Unit 61398. Mandiant goes on to show Unit 61398 as part of a cyber arm of the Chinese military, leaving the reader with a choice: believe that a sophisticated, multi-year, enterprise-wide hacking spree has been happening right under the nose of one of the most “big brother” regimes in history, or accept the more likely idea that Unit 61398 is the government-sanctioned organization behind these attacks.

Their case against Unit 61398 does not stop at the coincidence of network location. It is well understood in the security industry that an attacker can cover their tracks and hop through many countries and networks before reaching their final destination. Mandiant, however, removes doubt by providing information showing that the hackers behind these attacks not only appear to originate at or near Unit 61398’s location, but also predominantly use Chinese-language computer systems when performing their attacks. This further narrows down who the bad actors are, as it would be extremely operationally intensive for a non-Chinese actor, such as a rogue hacker group in another country or a foreign government, to employ the number of Chinese-reading and -writing hackers that Mandiant claims are behind these attacks.

While the report provides the most concrete public assessment to date as to China’s involvement in widespread computer attacks, it also introduces a lot of questions that need to be answered. A lot of these unanswered questions center around not who was behind the attacks or what they did after successfully breaching computer networks, but how these attackers were able to compromise some of the most important organizations in the world.

There is a systemic problem within the computer security industry; as an industry we are really good at saying what the bad guys do once they get in but rarely are we good at saying how they got in. The Mandiant report does offer some data on how companies were targeted and compromised. That data is largely around examples of companies being compromised via malicious email attachments and vague references to web based attacks. Had the report been only about attribution to China without mention of these attack vectors, then one might not need to pose these questions.

The most concrete examples of attacks were those involving emails specially crafted for their intended targets. These emails were designed to be believable, so that a target would extend some level of trust and follow through in opening the attached file. The attachments were typically compressed zip archives containing executable programs, which sometimes appeared, based on the program’s icon image, to be Adobe Reader documents. Once a victim opened and executed one of these attachments, malware would be downloaded to the victim’s system to give attackers remote access to do as they pleased.

This style of email attachment attack, whereby an attacker embeds a malicious program within a compressed zip file and tricks a user into executing it, is nothing new. In fact, in the 1990s this style of attack was so prolific that it forced Microsoft, in roughly 1998, to change the behavior of its popular Outlook email program to disallow receipt of executable attachments by default. While Outlook can still receive executable attachments within compressed zip files, it has long been a known security best practice for companies to deny inbound executable attachments, even when they are inside compressed zip files. Even popular email services such as Google’s Gmail do this by default, both for bare executables and for executables within zip files.
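The filtering control described above (deny inbound executables, including executables hidden inside zip archives) as an added example in Python; this is not code from the post or from BeyondTrust. The extension list, the fake PE stubs in the constructed sample archive and the nesting limit are assumptions made for the example.

```python
import io
import os
import zipfile

# Illustrative set of executable extensions (assumption: not Outlook's full block list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll", ".js", ".vbs"}
MZ_MAGIC = b"MZ"           # first bytes of a Windows PE executable
ZIP_MAGIC = b"PK\x03\x04"  # first bytes of a zip local file header
MAX_DEPTH = 3              # do not follow zip-in-zip nesting forever

def inspect_zip(zip_bytes, depth=0, prefix=""):
    """Return (member_name, reason) for every member that should block the attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            # splitext keeps only the last extension, so "report.pdf.exe" is still caught.
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension"))
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            # Judge by content, not name: a PE renamed to .pdf still starts with "MZ".
            if head.startswith(MZ_MAGIC):
                findings.append((name, "PE header despite non-executable name"))
            elif head == ZIP_MAGIC and depth < MAX_DEPTH:
                with zf.open(info) as fh:
                    findings.extend(inspect_zip(fh.read(), depth + 1, name + "/"))
    return findings

def should_block(zip_bytes):
    return bool(inspect_zip(zip_bytes))

def build_sample_zip(with_executables=True):
    """Constructed sample attachment; the 'executables' are tiny fake PE stubs."""
    fake_pe = MZ_MAGIC + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "meeting agenda")
        zf.writestr("real.pdf", b"%PDF-1.4\n")
        if with_executables:
            zf.writestr("report.pdf.exe", fake_pe)   # double extension
            zf.writestr("invoice.pdf", fake_pe)      # PE content behind a PDF name
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as izf:
                izf.writestr("setup.exe", fake_pe)   # executable hidden one level down
            zf.writestr("archive.zip", inner.getvalue())
    return buf.getvalue()
```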

There is no debate that attackers will always use their most basic attacks to compromise systems as there is no point in exposing your best tools when you do not need to. There is also not much doubt that your average computer user can easily be duped into opening and running attachments. That is why even everyday cybercrime attacks employ these same attack methods, knowing that your average home user is not behind any corporate security perimeter with a basic level of security filtering in place. But the computers presumably targeted by the Chinese military are not your average consumer computers, rather those at organizations of interest to the Chinese government.

If one were to base a conclusion on the attack data supplied within the Mandiant report, they would be left concluding that some of the most important organizations within the United States and elsewhere fell victim to the Chinese military because these organizations failed to implement 1990s security best practices for email attachments: filtering of executables and of executables within compressed zip files.

There are alternative conclusions, such as Mandiant having simply chosen to give only data on the unsophisticated examples of attacks the Chinese perform, while keeping their knowledge of the more sophisticated attacks out of the report. There is also the possibility that China’s Unit 61398 is their less sophisticated group or a combination of both entry-level and advanced hackers.

Mandiant gives examples of different personas they tracked related to these attacks. In some cases, the personas show a lack of operational security to the extent of reusing the same online identities and signatures within public forums and security sites and also within some of the specific malware created by the Chinese hackers Mandiant describes. Those basic mistakes are not in line with sophisticated attackers, rather those that would employ such basic email attachment attacks.

It is without a doubt that China, like every other modern nation, has talented hackers and sophisticated attack tools not mentioned in this Mandiant report. It is also without doubt that one can conclude Mandiant has unleashed with this report a tidal-wave of organizational review within the Chinese military that will lead to the bettering of their capabilities and operational safeguards. One can only assume what level of review and organizational changes victims of Unit 61398 have done, especially those unable to prevent the basic email attachment attacks.

In Mandiant’s report, they include a memo from China Telecom. The memo, within a single page, makes a case for and asks for expedient approval of the telecommunications needs of Unit 61398 so it can perform its mission. The simplicity with which this was proposed, and one assumes approved, is probably the most important takeaway in all of this. When you get beyond the technical whodunit and how, the determining factor in winning this race is being able to make the right decisions quicker than one’s opponent. Colonel John Boyd would surely be hugely disappointed in us.
